I've created fields from regex expressions before but never from the source field. This is an example of the value within the source field:  \\host0000\Test\IT Information\ Data Files\Daily Reporting\Business Unit\  I would like to extract the business unit value and call it Business Unit. I have access to create a props.conf file.   Can you help?   Kind regards, Vishal ... View more

Hi all, I am getting data in via an API (using the add on builder) but having  creating a regex which splits it into a better format rather than 1 big event. Here is an example of the event:     "@odata.context": "https://example-app-env.aa01.aaa.aaaa-ad/odata/$metadata#Jobs", "@odata.count": 111, "value": [ { "Key": "aaa1a111-aa11-11aa-a11a-11a1aa11a111", "StartTime": "2023-01-20T14:08:34.607Z", "EndTime": "2023-01-20T14:08:49.517Z", "State": "Successful", "JobPriority": "Normal", "Source": "Agent", "SourceType": "Agent", "BatchExecutionKey": "aaa1a111-aa11-11aa-a11a-11a1aa11a111", "Info": "Job completed", "CreationTime": "2023-01-20T14:08:34.607Z", "StartingScheduleId": null, "ReleaseName": "RobotProdLogin_DEV", "Type": "Attended", "InputArguments": "", "OutputArguments": "{}", "HostMachineName": "AAAAAAAA11111", "HasMediaRecorded": false, "PersistenceId": null, "ResumeVersion": null, "StopStrategy": null, "RuntimeType": "Development", "RequiresUserInteraction": true, "ReleaseVersionId": 1111, "EntryPointPath": null, "OrganizationUnitId": 1, "OrganizationUnitFullyQualifiedName": "Default", "Reference": "", "ProcessType": "Process", "ProfilingOptions": null, "ResumeOnSameContext": false, "LocalSystemAccount": "AAAAAA01\\AAA11AA", "OrchestratorUserIdentity": null, "Id": 00000 }, { "Key": "aaa1a111-aa11-11aa-a11a-11a1aa11a111", "StartTime": "2023-01-20T14:08:34.607Z", "EndTime": "2023-01-20T14:08:49.517Z", "State": "Successful", "JobPriority": "Normal", "Source": "Agent", "SourceType": "Agent", "BatchExecutionKey": "aaa1a111-aa11-11aa-a11a-11a1aa11a111", "Info": "Job completed", "CreationTime": "2023-01-20T14:08:34.607Z", "StartingScheduleId": null, "ReleaseName": "RobotProdLogin_DEV", "Type": "Attended", "InputArguments": "", "OutputArguments": "{}", "HostMachineName": "AAAAAAAA11111", "HasMediaRecorded": false, "PersistenceId": null, "ResumeVersion": null, "StopStrategy": null, "RuntimeType": "Development", "RequiresUserInteraction": true, "ReleaseVersionId": 1111, "EntryPointPath": null, "OrganizationUnitId": 1, "OrganizationUnitFullyQualifiedName": "Default", "Reference": "", "ProcessType": "Process", "ProfilingOptions": null, "ResumeOnSameContext": false, "LocalSystemAccount": "AAAAAA01\\AAA11AA", "OrchestratorUserIdentity": null, "Id": 00000 },   How i want it to look. Event 1   "@odata.context": "https://example-app-env.aa01.aaa.aaaa-ad/odata/$metadata#Jobs", "@odata.count": 111, "value": [ {   Event 2   { "Key": "aaa1a111-aa11-11aa-a11a-11a1aa11a111", "StartTime": "2023-01-20T14:08:34.607Z", "EndTime": "2023-01-20T14:08:49.517Z", "State": "Successful", "JobPriority": "Normal", "Source": "Agent", "SourceType": "Agent", "BatchExecutionKey": "aaa1a111-aa11-11aa-a11a-11a1aa11a111", "Info": "Job completed", "CreationTime": "2023-01-20T14:08:34.607Z", "StartingScheduleId": null, "ReleaseName": "RobotProdLogin_DEV", "Type": "Attended", "InputArguments": "", "OutputArguments": "{}", "HostMachineName": "AAAAAAAA11111", "HasMediaRecorded": false, "PersistenceId": null, "ResumeVersion": null, "StopStrategy": null, "RuntimeType": "Development", "RequiresUserInteraction": true, "ReleaseVersionId": 1111, "EntryPointPath": null, "OrganizationUnitId": 1, "OrganizationUnitFullyQualifiedName": "Default", "Reference": "", "ProcessType": "Process", "ProfilingOptions": null, "ResumeOnSameContext": false, "LocalSystemAccount": "AAAAAA01\\AAA11AA", "OrchestratorUserIdentity": null, "Id": 00000 },     Can you help? ... View more

Hi there, I have a search where I want to see where one date field is the same or starts before another but my search results only shows me events where both dates are the same, can you help? I am trying to find events which contains an end date that is before the created date. The data isn't create so a typical date entry would be 12112022 index=UAT sourcetype="Test_Txt_data" | eval end_date_epoch = strptime(end_date,"%d%m%Y") | eval created_date_epoch = strptime(created_date,"%d%m%Y") | where end_date_epoch <= created_date_epoch | eval end_date = strftime(end_date_epoch, "%d/%m/%Y"), created_date = strftime(created_date_epoch, "%d/%m/%Y") | table proposal, created_date, end_date ... View more

I have a simple search which is satisfaction_date=0 OR close_date=0 AND status=8 in the previous month. I now have a requirement where users want to see (last 30 days) where those records are now tagged with a different status. The unique identifier with each record is a proposal_id.   i.e in October proposal vdutta1 had a satisfaction date as 0 and status as 8. Proposal vdutta1 now has a satisfaction date as 0 and status as 6 so this record should be shown.   Can you help? ... View more

Hi there, I used to have a couple of alerts which worked using a crons expression from Monday to Saturday (*/15 7-19 * * 1-) and another for Sunday (*/15 10-15 * * 0). The requirements changed so I needed the Saturday and Sunday alert timings to be the same. I used (*/15 10-15 * * 6-7) but that didn't that didn't trigger an alert. I tried */15 10-15 * * SAT-SUN but it doesn't accept that format.   Can you help me with a crons expression for Saturday and Sunday? ... View more

I have a search which triggers an alert if an event hasn't be received by 6.20 am. That alert works fine but it needs to send data into another system. That system needs a unique id within it's Key field. key=$result._time$ won't work as the event doesn't exist. Is there a way to add a unique value into that key field on an event that doesn't exist? The search is: sourcetype=Batch OR sourcetype=ManualBatch "Step 'CleanupOldRunlogs' finished with status SUCCESS" ... View more